Cybersecurity researchers at F5 have issued an urgent warning regarding a severe security flaw affecting their BIG-IP APM systems. Originally, the issue was dismissed as a minor technical glitch, but it has been re-categorised as a major threat following new evidence found in March 2026.
BIG-IP APM is used by several large organisations to control how staff log in to private networks.
F5 researchers noted that the issue, tracked as CVE-2025-53521, allows attackers to send malicious traffic to a server to take complete control of it. In simple terms, this leads to Remote Code Execution (RCE), meaning unauthorised individuals could run their own commands on a company’s hardware from anywhere in the world without a password.
From Minor Glitch to Major Threat
This discovery follows a high-profile incident reported by Hackread.com in October 2025, where F5 confirmed it was the victim of a state-sponsored cyberattack. While F5 noted then that their update mechanisms remained safe, this latest flaw represents a new and urgent danger.
Earlier investigations suggested this was merely a Denial-of-Service problem, an attack that simply crashes a system. However, further probing revealed a much more dangerous reality: the flaw is actually a memory-handling error that lets attackers bypass security entirely to plant malicious software. Because of this, the severity score has been pushed to a 9.8 out of 10, marking it as a critical emergency.
Identifying At-Risk Systems
According to researchers, the danger is concentrated on the apmd process within specific versions of the software. The systems most at risk include the 17.x, 16.x, and 15.x branches of the BIG-IP APM. However, many of F5’s newer products have been cleared of this risk, and the BIG-IP Next range, NGINX, and the F5 AI Gateway are not vulnerable.
It is worth noting that this flaw only becomes a ‘live’ threat if a specific access policy is turned on. According to researchers, “this vulnerability has been exploited in the vulnerable BIG-IP versions,” meaning attackers are already using this “open door” to break into systems.
Signs of a Digital Break-In
To help businesses identify if they have been targeted, F5 released a list of Indicators of Compromise on 27 March 2026. This report provides details on c05d5254, a specific type of malicious software that attackers plant on systems to maintain control after a break-in.
This software is designed to be stealthy; once a system is infected, hackers might hide their activity by making web traffic look like harmless website design code (CSS files) to trick monitors.
Further investigation revealed several red flags, such as the presence of unusual files like /run/bigtlog.pipe and changes to the digital “fingerprints” of standard files like /usr/bin/umount. Additionally, the system’s integrity tool, sys-eicheck, may fail, and logs might show a local user named f5hubblelcdadmin trying to disable security protections.
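One way to turn the indicators listed above into a repeatable check, as an added example that is not F5's tooling and not part of the original article: each function takes an explicit root path and log file so it can run against a mounted backup as well as a live appliance; the baseline hash of /usr/bin/umount is an operator-supplied value from a known-good system of the same version, and every sample file is constructed.

```shell
#!/bin/sh
# Added triage helper, not F5's own tooling. Functions take explicit paths
# so they can be pointed at a mounted image or at "/" on a live appliance.
# BASELINE_SHA256 must come from a known-good system of the same version;
# the hash used in testing below is computed from a constructed file.

# Prints 1 if the unexpected named pipe from the IoC list exists under ROOT.
ioc_pipe() {
    if [ -e "$1/run/bigtlog.pipe" ]; then echo 1; else echo 0; fi
}

# Prints 1 if /usr/bin/umount under ROOT no longer matches BASELINE_SHA256.
ioc_umount() {
    f="$1/usr/bin/umount"
    if [ ! -f "$f" ]; then echo 0; return; fi
    actual=$(sha256sum "$f" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then echo 0; else echo 1; fi
}

# Prints the number of lines in LOGFILE mentioning the suspicious local account.
ioc_user_lines() {
    if [ ! -f "$1" ]; then echo 0; return; fi
    grep -c 'f5hubblelcdadmin' "$1" || true
}

# triage ROOT LOGFILE BASELINE_SHA256: prints how many of the three checks
# fire (0 means none of these indicators were seen). A failing sys-eicheck is
# a fourth indicator named by F5; run that tool separately on the appliance.
triage() {
    root=$1; logfile=$2; baseline=$3
    hits=0
    if [ "$(ioc_pipe "$root")" = 1 ]; then hits=$((hits + 1)); fi
    if [ "$(ioc_umount "$root" "$baseline")" = 1 ]; then hits=$((hits + 1)); fi
    if [ "$(ioc_user_lines "$logfile")" -gt 0 ]; then hits=$((hits + 1)); fi
    echo "$hits"
}
```

A non-zero result is a reason to preserve the box for forensics rather than proof of compromise on its own; the hash check in particular only means anything when the baseline really is from a clean image of the same build.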
As ever, the safest move is to install the latest official patches immediately. If you do not know exactly when a system was hacked, researchers at F5 suggest rebuilding from scratch because “UCS files from compromised systems can contain persistent malware.”
Industry Experts Weigh In
Several industry leaders shared their insights on the situation with Hackread.com. John Bambenek, President at Bambenek Consulting, stated that “This vulnerability is more of a classic denial of service in that the device would crash. Given that we are talking about access management, it would disrupt remote employees the most. While attackers in times of geopolitical conflict are not above using DoS attacks, they tend to focus their efforts on classic flooding DDoS attacks that require low sophistication to deploy.”
“That being said, the DoS component of this vulnerability has been known; the change is that it was discovered this vulnerability could also be used for remote code execution, which is why there is a new advisory,” he added.
David Brumley, Chief AI and Science Officer at Bugcrowd, explained that “This is an all-hands-on-deck moment for F5 customers. What looked like a denial of service bug is actually a remote takeover, and attackers are already using it.”